MS02-026: Unchecked Buffer in ASP.NET Worker Process

Title: Unchecked Buffer in ASP.NET Worker Process (Q322289)

Date: 06 June 2002

Software: .NET Framework

Impact: Denial of service, potentially run code of attacker's choice

Max Risk: Moderate

Bulletin: MS02-026

Microsoft encourages customers to review the Security Bulletin at:

https://www.microsoft.com/technet/security/bulletin/MS02-026.asp

ASP.NET is a collection of technologies that help developers build web-based applications. Web-based applications, including those built using ASP.NET, rely on HTTP to provide connectivity. HTTP is a stateless protocol, meaning that each page request from a user to a site is treated as an independent request. To compensate for this, ASP.NET provides session state management through a variety of modes.

One of these modes is StateServer mode. This mode stores session state information in a separate, running process. That process can run on the same machine as the ASP.NET application or on a different machine. There is an unchecked buffer in one of the routines that handles the processing of cookies in StateServer mode. A security vulnerability results because an attacker could seek to exploit the unchecked buffer by mounting a buffer overrun attack. A successful attack could cause the ASP.NET application to restart. As a result, all current users of the web-based application would see their current session restart, and their current session information would be lost.
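Because the flaw sits in the StateServer code path, a useful first step when prioritising the patch is to find which applications are configured for that mode. The sketch below is an added example, not part of the bulletin or of Microsoft's tooling: it reads the `mode` and `stateConnectionString` attributes of the `<sessionState>` element in ASP.NET configuration files, and the file paths, sample contents and status labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not from the bulletin); keys are hypothetical paths.
SAMPLES = {
    "shop/web.config": """<configuration><system.web>
      <sessionState mode="StateServer" timeout="20"
          stateConnectionString="tcpip=10.0.0.5:42424"/>
    </system.web></configuration>""",
    "intranet/web.config": """<configuration><system.web>
      <sessionState mode="InProc" timeout="20"/>
    </system.web></configuration>""",
    "blog/web.config": """<configuration><system.web>
      <compilation debug="false"/>
    </system.web></configuration>""",
    "legacy/web.config": "<configuration><system.web>",  # truncated on purpose
}

def session_state(xml_text):
    """Return (mode, state_server); mode is None if the file does not set it."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # Ignore any XML namespace prefix on the tag name.
        if el.tag.rsplit("}", 1)[-1] == "sessionState":
            mode = el.get("mode")
            conn = el.get("stateConnectionString", "")
            # stateConnectionString has the form "tcpip=host:port".
            return mode, (conn.partition("=")[2] or None)
    return None, None

def audit(configs):
    """Map each path to (status, state_server) for patch prioritisation."""
    findings = {}
    for path, text in configs.items():
        try:
            mode, server = session_state(text)
        except ET.ParseError:
            findings[path] = ("UNPARSEABLE", None)  # review by hand
            continue
        if mode is None:
            findings[path] = ("INHERITED", None)  # set in a parent config file
        elif mode.lower() == "stateserver":
            findings[path] = ("STATESERVER", server)
        else:
            findings[path] = ("OTHER_MODE", None)
    return findings

if __name__ == "__main__":
    for path, result in audit(SAMPLES).items():
        print(path, *result)
```

An `INHERITED` result means the file does not set a mode itself, so the parent `web.config` or `machine.config` has to be audited before the application can be ruled out.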

View: Microsoft Security Bulletin MS02-026
